forked from louketo/louketo-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
misc.go
91 lines (73 loc) · 2.8 KB
/
misc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
/*
Copyright 2015 All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"encoding/base64"
"fmt"
"net/http"
"path"
"time"
"github.com/gambol99/go-oidc/jose"
"github.com/labstack/echo"
"go.uber.org/zap"
)
// revokeProxy is responsible to stopping the middleware from proxying the request
func (r *oauthProxy) revokeProxy(cx echo.Context) {
cx.Set(revokeContextName, true)
}
// accessForbidden redirects the user to the forbidden page
func (r *oauthProxy) accessForbidden(cx echo.Context) error {
r.revokeProxy(cx)
if r.config.hasCustomForbiddenPage() {
tplName := path.Base(r.config.ForbiddenPage)
err := cx.Render(http.StatusForbidden, tplName, r.config.Tags)
if err != nil {
r.log.Error("unable to render the template",
zap.Error(err),
zap.String("template", tplName))
}
return err
}
return cx.NoContent(http.StatusForbidden)
}
// redirectToURL redirects the user and aborts the context
func (r *oauthProxy) redirectToURL(url string, cx echo.Context) error {
r.revokeProxy(cx)
return cx.Redirect(http.StatusTemporaryRedirect, url)
}
// redirectToAuthorization redirects the user to authorization handler
func (r *oauthProxy) redirectToAuthorization(cx echo.Context) error {
r.revokeProxy(cx)
if r.config.NoRedirects {
return cx.NoContent(http.StatusUnauthorized)
}
// step: add a state referrer to the authorization page
authQuery := fmt.Sprintf("?state=%s", base64.StdEncoding.EncodeToString([]byte(cx.Request().URL.RequestURI())))
// step: if verification is switched off, we can't authorization
if r.config.SkipTokenVerification {
r.log.Error("refusing to redirection to authorization endpoint, skip token verification switched on")
return cx.NoContent(http.StatusForbidden)
}
return r.redirectToURL(oauthURL+authorizationURL+authQuery, cx)
}
// getAccessCookieExpiration calucates the expiration of the access token cookie
func (r *oauthProxy) getAccessCookieExpiration(token jose.JWT, refresh string) time.Duration {
// notes: by default the duration of the access token will be the configuration option, if
// however we can decode the refresh token, we will set the duration to the duraction of the
// refresh token
duration := r.config.AccessTokenDuration
if _, ident, err := parseToken(refresh); err == nil {
duration = time.Until(ident.ExpiresAt)
}
return duration
}